
Making Enterprise Risk Management Personal

They say charity starts at home – so does Enterprise Risk Management (ERM). We can learn a lot from what we do well in our own lives and apply the same principles to our work lives. 

Risk, according to the ISO 31000 standard, is the “effect of uncertainty on objectives”. “Objectives” are the starting point of ERM. You cannot do any meaningful risk management without starting with, and clearly articulating your objectives. This is the critical link between ERM and Strategy.

One of the objectives of most people in their personal lives, I hope, is: To live a long, healthy and fulfilling life.

The second step is to understand what critical processes need to work well in order to achieve our stated objectives. In our personal life example, these critical processes will consist mainly of our vital organs, our heart, liver, kidneys, brain and so on. In your business life, it is the critical processes on which your business depends – in other words, the critical parts of your operating model. Once we understand the critical functions/processes, we can then move to the third step of identifying the risks that could cause the functions/processes to fail.

In your personal life this will include such things as heart attack, melanoma, lung disease and so on. In your work life it will be a suite of corporate risks including cyber attacks, internal and external fraud, third party failure and so on.

The next stage is to analyse our key risks in detail so we understand their root causes and how they link to the failure of the critical processes and, by extension, our objectives. For example, a heart attack may be caused, among other things, by clogged arteries. Clogged arteries may be caused by cholesterol, which in turn could be caused by diet or be hereditary. A heart attack then leads to failure of the heart as a vital organ, which leads to the failure of our long and healthy life objective.

We at Protecht use Bow Tie analysis to analyse and document these parts, connecting root causes with risk events, with failed critical processes, and with objectives.

Lastly, we identify our controls. For health risk, we may have diet, drugs, regular checkups, surgery etc. These controls can be classified into Preventive, Detective and Reactive: Preventive controls operate proactively at the earliest point of the risk, Detective controls somewhere in the middle of the risk's life, while Reactive controls operate at the end of the risk's life, focused on minimising impact.


An example bow tie for staff absenteeism is shown below:

[Figure: BowTie staff.png]

Fig 1. Bow Tie analysis example

Source: Protecht.BowTie (available for iOS tablets on the App Store)

Once we have analysed our risks and related controls, we need to manage them, i.e. the process of Enterprise Risk Management (ERM).

So how should we manage our health risks? 

  1. Go for a periodic (maybe annual) health check.
  2. Monitor indicators of your health between health checks. A Fitbit can help here.
  3. Be ready for, and manage, any health incident.
  4. Take appropriate actions if you believe health risks are not being adequately managed – additional medication, change of lifestyle and so on.
  5. Ensure that the key treatments you have over your health are effectively working. For example, ensuring you are taking your medication each day.

The process of ERM is the same.

  1. The Health Check is the Risk Assessment
  2. The Fitbit is Key Risk Indicators
  3. Dealing with incidents is Incident Management
  4. Taking action is Issue and Action Management
  5. Checking treatment effectiveness is Controls Assurance

How healthy are you and how healthy is your business?
